Could an online, government-issued ID be a safer way to prove who you are online without giving companies your personal details?
The federal government hopes so, and last week moved one step closer to setting up such a system when the Senate approved its Digital ID bill.
The bill would establish a voluntary identity verification service, building on the existing myGovID, which is already used by 10.5 million Australians to access government services.
The proposed service could also be used by private companies. The idea is that companies could verify their customers without needing to collect and store sensitive info such as addresses, phone numbers or passports, which could be vulnerable to misuse or cyber crime.
That promises simplicity to customers weary of myriad forms, passwords and verification practices for everything from banks to streaming services.
But while that may appeal to some, others will be sceptical of any government data collection.
Establishing a 'social licence' for the digital ID — that is, engendering the trust that will make people want to use it — will present a challenge, just as it has for previous government data initiatives like My Health Record.
The Senate spent considerable time debating the rules and safeguards that should underpin the system.
The government's bill was amended dozens of times, and the Coalition and right-wing crossbenchers voted against it.
The bill will now go to the House of Representatives, where its passage into law is assured. But the scheme may yet face teething issues during its rollout.
How it would work
The proposal is to expand the use of the existing myGovID.
That ID is already in use for federal government services, but it operates without legislation.
The government's plan is to set up a formal legal framework so the ID can be expanded first to state and territory governments and then to private companies.
The Coalition had similar plans in the last term in government and got as far as a draft bill, but failed to introduce that bill to parliament before the 2022 election.
Under the system, if a company wanted to verify its customer's identity, the customer could choose to use their government digital ID.
Just like the current process for accessing Services Australia, the ATO or Medicare, the customer would be redirected to myGov to confirm their ID, resulting in confirmation being given to the company.
Companies must obey rules to join
In order to participate in this system, private companies would need to be accredited by the government.
Accreditation would require proof that the company had secure data storage practices in place.
The idea would be that companies would need to collect less customer data if they use the digital ID, but they may still collect basic personal info or some record of government verification, which could pose a security threat if not properly managed.
Accreditation would also come with strings attached. Companies would have to obey stricter rules about how they use customer data, in addition to the rules already set out in the Privacy Act.
For example, they would need to get explicit customer consent before sharing personal information with third parties.
There would be prohibitions on using personal information to profile customers, or for direct marketing purposes.
And there would be restrictions on the use and retention of biometric data (e.g. data used for facial recognition).
Under amendments passed by the Greens, companies could also be required to ensure they do not use biometric data to discriminate against customers based on their characteristics.
This accreditation process would be overseen by the finance minister in co-operation with four bureaucrats, each with distinct responsibilities.
Accreditation could be revoked if a company experiences a cyber breach, or if authorities believe a breach is imminent.
Finance Minister Katy Gallagher will also have the power to stagger the rollout of the system, and has indicated that private companies may have to wait as long as two years before they can join.
The Coalition cited this delay as one reason for voting against the bill.
Privacy and social licence
But at least some Coalition senators also voiced concerns about privacy. Matt Canavan and Gerard Rennick expressed dissent during the Senate committee process, as did One Nation's Malcolm Roberts.
One fear the senators raised was that the voluntary scheme could eventually be made compulsory. The government's scheme is voluntary and it has no plans to make it compulsory, which would in any event require fresh legislation.
But hundreds of individuals made submissions to that Senate process to voice similar concerns, pointing to the likelihood of vocal scepticism in some quarters.
Senator Gallagher called the senators "conspiracy theorists" and accused the Coalition of appeasing them.
"[Coalition senators] in their tin foil hats are running amok in the Senate," she said.
But Greens Senator David Shoebridge warned those concerns could threaten the social licence for the scheme. The Greens and the government voted together on two amendments designed to address the concerns.
One will require participating companies and government service providers to ensure they have a "reasonably accessible" alternative way for customers to verify their ID, and that nobody is treated unfavourably for choosing not to use the ID.
The other will require law enforcement agencies to report to the Attorney-General if they seek to access any personal data stored in the government ID, and for the Attorney-General to publicise this.
Senator Shoebridge said the data collected for a digital ID would not be useful for law enforcement, since it would contain no new information they could access elsewhere.
But he said that by giving them access, the bill could "create the false impression that it creates a new honey pot of data and that inevitably undermines public confidence in the reform."